AT&T now says it has "turned off the feature" that let an independent security watchdog group pull, from a publicly reachable script on the telco's website, the e-mail addresses of more than 114,000 Apple iPad 3G owners, including some of the biggest names in media, the military and politics.
The security gaffe, first reported by Gawker, allowed representatives from Goatse Security to uncover subscribers' e-mail addresses and match them with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID.
ICC-ID stands for integrated circuit card identifier and, according to AT&T (NYSE: T), it's used to identify the SIM cards that associate a mobile device with a particular subscriber.
According to the Gawker report, White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, New York Times Co. CEO Janet Robinson and dozens, if not hundreds, of high-ranking officials in various government and military agencies were among the 114,000-plus iPad owners affected by the breach.
On Thursday, Dallas-based AT&T said it took immediate steps to resolve the security breach.
"This issue was escalated to the highest levels of the company and was corrected by Tuesday," AT&T said in a statement. "We have essentially turned off the feature that provided the e-mail addresses."
Apple (NASDAQ: AAPL) officials were not immediately available for comment.
AT&T said it is continuing to investigate the incident and will inform customers whose e-mails were impacted by the security breach.
While there's no denying the iPad's immense popularity, it's precisely this kind of exposure, an unauthenticated lookup keyed on a device identifier, that has companies reassessing whether these tablets are right for the enterprise.
AT&T said it was informed by a "business customer" of the potential exposure of their iPad ICC IDs, adding that the person or group who discovered this gap did not contact AT&T directly.
That conflicts with Goatse Security's assertion that once it managed to uncover the security flaw, it immediately notified AT&T.
On its website, Goatse Security said it found the exposed data through a script on AT&T's site that was reachable by anyone on the Internet, with no login required. When an ICC-ID was supplied as part of an HTTP request, the script returned the associated e-mail address, in what was apparently intended to be an AJAX-style response consumed by a web application rather than an endpoint anyone would call directly, Goatse said. The weakness, in other words, was that the only "secret" protecting a subscriber's e-mail address was an identifier that is printed on the SIM and assigned in a predictable pattern.
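To make the failure mode concrete, here is an added toy model of that lookup next to a hardened version. This is illustrative code written for this page, not AT&T's script or Goatse Security's tool; the subscriber table, the ICC-ID prefix, the e-mail addresses and every function name are constructed. The one fact it relies on beyond the article is that ICC-IDs end in a Luhn check digit (ITU-T E.118), which is why an attacker who knows one valid ID can generate its well-formed neighbours instead of guessing.

```python
"""Toy model of an unauthenticated ICC-ID -> e-mail lookup (the pattern the
article describes) beside a version that binds the lookup to the caller's
own authenticated SIM.  All data here is constructed for illustration."""

from typing import Callable, Dict, Iterable, List, Optional


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string.  ICC-IDs carry one as their last
    digit (ITU-T E.118), so neighbouring IDs can be regenerated exactly."""
    total = 0
    # Walk from the rightmost payload digit; it is doubled because the check
    # digit will sit in the final position.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(icc_id: str) -> bool:
    """True if the last digit is the correct Luhn check digit."""
    return icc_id.isdigit() and luhn_check_digit(icc_id[:-1]) == icc_id[-1]


# Constructed 7-digit prefix: "89" (telecom industry identifier) followed by
# invented country/issuer digits.  Not a real carrier prefix.
PREFIX = "8901410"
ACCOUNT_WIDTH = 12


def make_icc_id(account_number: int) -> str:
    """Build a 20-digit ICC-ID from a sequential account number."""
    payload = PREFIX + f"{account_number:0{ACCOUNT_WIDTH}d}"
    return payload + luhn_check_digit(payload)


# Constructed subscriber table: sequential account numbers, made-up e-mails.
SUBSCRIBERS: Dict[str, str] = {
    make_icc_id(n): f"subscriber{n}@example.com" for n in range(1000, 1010)
}


def vulnerable_lookup(icc_id: str) -> Optional[str]:
    """The exposed pattern: whoever supplies an ICC-ID gets the e-mail back.
    No authentication, no check that the caller owns that SIM."""
    return SUBSCRIBERS.get(icc_id)


def hardened_lookup(icc_id: str, session_icc_id: Optional[str]) -> Optional[str]:
    """Answer only for the SIM bound to the caller's authenticated session.
    session_icc_id is assumed to have been set server-side at login; None
    means the request is unauthenticated.  Denials look identical so the
    endpoint cannot be used to confirm which ICC-IDs exist."""
    if session_icc_id is None or session_icc_id != icc_id:
        return None
    return SUBSCRIBERS.get(icc_id)


def neighbouring_icc_ids(seed: str, count: int) -> List[str]:
    """Walk the account-number space +/- count around a known ICC-ID,
    recomputing the check digit so every candidate is well-formed."""
    prefix, account = seed[:len(PREFIX)], int(seed[len(PREFIX):-1])
    width = len(seed) - len(PREFIX) - 1
    ids = []
    for n in range(max(0, account - count), account + count + 1):
        payload = prefix + f"{n:0{width}d}"
        ids.append(payload + luhn_check_digit(payload))
    return ids


def harvest(lookup: Callable[[str], Optional[str]], ids: Iterable[str]) -> Dict[str, str]:
    """Collect every (ICC-ID, e-mail) pair the lookup is willing to return."""
    found: Dict[str, str] = {}
    for icc_id in ids:
        email = lookup(icc_id)
        if email is not None:
            found[icc_id] = email
    return found


if __name__ == "__main__":
    seed = make_icc_id(1005)          # the attacker's own, legitimately known SIM
    candidates = neighbouring_icc_ids(seed, 20)
    print("exposed by vulnerable endpoint:", len(harvest(vulnerable_lookup, candidates)))
    print("exposed to unauthenticated caller:",
          len(harvest(lambda i: hardened_lookup(i, None), candidates)))
    print("exposed to authenticated owner of seed:",
          harvest(lambda i: hardened_lookup(i, seed), candidates))
```

The point of the hardened version is not rate limiting or obscurity but binding: the server already knows which SIM the authenticated session belongs to, so the ICC-ID in the request should never be the thing that selects whose data comes back. The enumeration helper shows why a predictable identifier cannot serve as a credential even when it is "unguessable" in the sense of being 20 digits long.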